Openswan 自更新后出现故障

Openswan 自更新后出现故障

出于安全原因,我已将 openswan 从先前版本更新至 U2.6.32/K2.6.18-194.el5 (netkey)

从那一刻起,我一直遇到隧道不断掉线的情况,我检查了 /var/log/secure 日志,但未能发现问题......

此外,当我输入时,命令会出现一些奇怪的行为

service ipsec status

它长时间没有响应(大约 5 分钟),当它最终响应时,它说没有隧道

经过多次重启和几个小时的冷汗后开始工作正常...

以下是多次服务重启之间的时间间隔的日志……

包含“pluto”条目的 /var/log/secure/ 日志:

MYSERVER ipsec__plutorun: Starting Pluto subsystem...
MYSERVER pluto[8607]: nss directory plutomain: /etc/ipsec.d
MYSERVER pluto[8607]: NSS Initialized
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:8607
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: LEAK_DETECTIVE support [disabled]
MYSERVER pluto[8607]: OCF support for IKE [disabled]
MYSERVER pluto[8607]: SAref support [disabled]: Protocol not available
MYSERVER pluto[8607]: SAbind support [disabled]: Protocol not available
MYSERVER pluto[8607]: NSS support [enabled]
MYSERVER pluto[8607]: HAVE_STATSD notification support not compiled in
MYSERVER pluto[8607]: Setting NAT-Traversal port-4500 floating to off
MYSERVER pluto[8607]:    port floating activation criteria nat_t=0/port_float=1
MYSERVER pluto[8607]:    NAT-Traversal support  [disabled]
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
MYSERVER pluto[8607]: starting up 7 cryptographic helpers
MYSERVER pluto[8607]: started helper (thread) pid=47968782256448 (fd:10)
MYSERVER pluto[8607]: started helper (thread) pid=47968792754496 (fd:12)
MYSERVER pluto[8607]: started helper (thread) pid=47968803252544 (fd:14)
MYSERVER pluto[8607]: started helper (thread) pid=47968813750592 (fd:16)
MYSERVER pluto[8607]: started helper (thread) pid=47968824240448 (fd:18)
MYSERVER pluto[8607]: started helper (thread) pid=47968834746688 (fd:20)
MYSERVER pluto[8607]: started helper (thread) pid=47968845244736 (fd:22)
MYSERVER pluto[8607]: Using Linux 2.6 IPsec interface code on 2.6.18-194.el5 (experimental code)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/cacerts': /
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/aacerts': /
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/crls'
MYSERVER pluto[8607]: | selinux support is NOT enabled. 
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: added connection description "connVPNxxx"
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: added connection description "connVPNxxx"
MYSERVER pluto[8607]: "connVPNxxx": terminating SAs using this connection
MYSERVER pluto[8607]: "connVPNxxx": terminating SAs using this connection
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: added connection description "connVPNxxx"
MYSERVER pluto[8607]: listening for IKE messages
MYSERVER pluto[8607]: adding interface virbr0/virbr0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth1:0/eth1:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth1/eth1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth0:1/eth0:1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth0:0/eth0:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth0/eth0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface lo/lo xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface lo/lo ::1:500
MYSERVER pluto[8607]: loading secrets from "/etc/ipsec.secrets"
MYSERVER pluto[8607]: "/etc/ipsec.secrets" line 14: CKAIDNSS keyword not found where expected in RSA key
MYSERVER pluto[8607]: "connVPNxxx": terminating SAs using this connection
MYSERVER pluto[8607]: "connVPNxxx" #1: initiating Main Mode
MYSERVER pluto[8607]: "connVPNxxx" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #2: initiating Main Mode
MYSERVER pluto[8607]: "connVPNxxx" #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
MYSERVER pluto[8607]: "connVPNxxx" #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
MYSERVER pluto[8607]: "connVPNxxx" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
MYSERVER pluto[8607]: "connVPNxxx" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #1: STATE_MAIN_I2: sent MI2, expecting MR2
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:61954 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #1: discarding duplicate packet; already STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
MYSERVER pluto[8607]: "connVPNxxx" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #2: STATE_MAIN_I2: sent MI2, expecting MR2
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
MYSERVER pluto[8607]: "connVPNxxx" #1: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: discarding duplicate packet; already STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #3: initiating Main Mode
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:34682 to xx.xx.xx.xx:1025 proto=17 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:61954 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
MYSERVER pluto[8607]: "connVPNxxx" #1: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: discarding duplicate packet; already STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #1: max number of retransmissions (2) reached STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #1: starting keying attempt 2 of an unlimited number, but releasing whack
MYSERVER pluto[8607]: "connVPNxxx" #4: initiating Main Mode to replace #1
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:34682 to xx.xx.xx.xx:1025 proto=17 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:61954 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:34682 to xx.xx.xx.xx:1025 proto=17 state: fos_start because: acquire
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: ignoring informational payload, type INVALID_COOKIE on st==NULL (deleted?)
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: ignoring informational payload, type INVALID_COOKIE msgid=00000000
MYSERVER pluto[8607]: "connVPNxxx" #2: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: max number of retransmissions (2) reached STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #2: starting keying attempt 2 of an unlimited number
MYSERVER pluto[8607]: "connVPNxxx" #5: initiating Main Mode to replace #2
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: ignoring informational payload, type INVALID_COOKIE on st==NULL (deleted?)
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: received and ignored informational message
MYSERVER pluto[8607]: shutting down
MYSERVER pluto[8607]: forgetting secrets
MYSERVER pluto[8607]: "connVPNxxx": deleting connection
MYSERVER pluto[8607]: "connVPNxxx" #3: deleting state (STATE_MAIN_I1)
MYSERVER pluto[8607]: "connVPNxxx": deleting connection
MYSERVER pluto[8607]: "connVPNxxx" #4: deleting state (STATE_MAIN_I1)
MYSERVER pluto[8607]: "connVPNxxx": deleting connection
MYSERVER pluto[8607]: "connVPNxxx" #5: deleting state (STATE_MAIN_I1)
MYSERVER pluto[8607]: shutting down interface lo/lo ::1:500
MYSERVER pluto[8607]: shutting down interface lo/lo xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth0/eth0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth0:0/eth0:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth0:1/eth0:1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth1/eth1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth1:0/eth1:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface virbr0/virbr0 xx.xx.xx.xx:500

ipsec.conf

/etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
    klipsdebug=none
    nat_traversal=no
####### forwardcontrol=yes
    oe=off
    plutodebug=none
    protostack=netkey
####### virtual_private=%v4:xx.xx.xx/8,%v4:xx.xx.xx/16,%v4:xx.xx.xx/12

conn connVPNxxx1
        left=xx.xx.xx
        leftid=xx.xx.xx
        leftsubnet=xx.xx.xx/32
        leftsourceip=xx.xx.xx
        right=xx.xx.xx
        rightid=xx.xx.xx
        rightsubnet=xx.xx.xx/32
        rightsourceip=xx.xx.xx
        auto=start
        authby=secret
        ike=3des-sha1-modp1024
        esp=3des-sha1
        ikelifetime=28800s
        keylife=3600s
        keyexchange=ike
        pfs=no
        type=tunnel

conn connVPNxxx2
        left=xx.xx.xx
        leftid=xx.xx.xx
##20-11-2014 leftnexthop=%direct
        leftsubnet=xx.xx.xx/32
    leftsourceip=xx.xx.xx
        right=xx.xx.xx
        rightid=xx.xx.xx
##20-11-2014 rightnexthop=%direct
        rightsubnet=xx.xx.xx/32
    rightsourceip=xx.xx.xx
        auto=start
        authby=secret
        ike=3des-sha1-modp1024
    esp=3des-sha1
        ikelifetime=28800s
        keylife=3600s
        keyexchange=ike
        pfs=yes
        type=tunnel



conn vpnxxx3
         left=xx.xx.xx
         leftid=xx.xx.xx
##20-11-2014  leftnexthop=%direct
         leftsubnet=xx.xx.xx/32
         leftsourceip=xx.xx.xx
         right=xx.xx.xx
         rightid=xx.xx.xx
##20-11-2014 rightnexthop=%direct
         rightsubnet=xx.xx.xx/32
         rightsourceip=xx.xx.xx
         auto=start
         authby=secret
         ike=3des-sha1-modp1024
         esp=3des
         ikelifetime=28800s
         keylife=3600s
         keyexchange=ike
         pfs=no
         type=tunnel

相关内容